
Fascinating Honeypot Result

Hey all - I've begun to examine the data I've captured from my recent honeypot experiments, and have come across something I'd like to show you.

In my final honeypot, I had the following machine exposed to the internet:
-Windows XP (clean install, no patches or service packs)
-DSL connection
-Uptime: Approx 10hrs 15min
-No shares with null passwords
-No firewalls
-No server services running

I was mimicking a home PC with no/little security considerations. This was the third of three deployments (I cycled the DSL between each to ensure a different IP address was assigned to each host). Data capture was done with gateway logs, for incoming and outgoing connection addresses, Ethereal for packet dump, and Snort IDS for alert logging.

The W32.gaobot worm eventually brought the PC down when it forced a reboot via the famous RPC exploit, but that's not the interesting part.

18 minutes into the deployment the honeypot starts getting pounded with SYN packets from a single address. This continues for 2 hours and 19 minutes, and effectively kills any and all other communication with the outside world.

Thereafter, the traffic returned to the expected NetBIOS scans, etc., leading up to the W32.gaobot compromise. This makes me think of a possible strategic scenario:
1) automated scan finds a vulnerable host.
2) DOS launched against host to disallow any others from compromising it until decision can be made.
3) decision is made to compromise host, DOS is stopped, host is compromised.

As I noted, I've changed IP addresses (and operating systems/footprints) between each honeypot, so I don't believe someone would know it's another honeypot and DOS it out of spite.

What's your opinion? I've not seen signatures of DOS attacks in the past, but the scenario above makes some sense to me. Here's the dump of a single packet from the questionable traffic:

Interesting project, and yes that approach could well be taken by an attacker. There have been a couple of studies like this conducted and it is amazing the amount of malicious traffic that hits these servers. This is one of the problems when you first implement an IDS on a large corp network: if you put a sensor outside the firewall you see huge volumes of traffic, and it takes a while to tweak the IDS.

Are you seeing the SYN packets against any particular ports, or across the full range?

That's silly though...
OOOH an open box! It's MINE I say! MINE MINE MINE!
Daffy duck syndrome.
I just find that amazing someone would DoS it so no one else can hack it... lol
guess if you want to zombie it, you gotta "claim" it... sheesh

Remember -
The ark was built by amateurs...
The Titanic was built by professionals.

The SYN packets are only coming against TCP 4984-4987, in a seemingly random order (doesn't start and cycle one way). Perhaps this could mean there was more than one host sending the packets? (well, that's a shot in the dark assumption to make)

I could see someone DOS a host to grab a machine.. the larger your BOT network, the more powerful your DDoS attacks would be - or as Tedob1 said it would be a great use for a spammer.

I failed to mention, but the only traffic that actually broke through (and only twice in that two hours) were single ping ECHO requests from a particular host (Snort tagged them as being from the CyberKit suite). From a recon perspective, this could be the actual attacker checking to see if the machine is still online, as a DOS attack with forged SYN packets would send my honeypot's responses into space... I'm going to check into this more this evening.
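One way to pull the pattern described in this thread out of a capture summary, as an added example that is not from the thread or the poster's own tooling: it flags a source whose SYN rate crosses a threshold, reports how long the flood ran and which destination ports it hit, and lists whatever other traffic arrived while the flood was going (the probes worth a second look). The log lines, addresses and the summary format are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed summary lines shaped like the thread's description, not the
# poster's capture. Fields: <ISO time> <src_ip> <proto> <dst_port> <flag>
SAMPLE_LOG = """\
2004-01-01T00:18:00 198.51.100.7 TCP 4984 S
2004-01-01T00:18:00 198.51.100.7 TCP 4986 S
2004-01-01T00:18:01 198.51.100.7 TCP 4985 S
2004-01-01T00:18:01 198.51.100.7 TCP 4987 S
2004-01-01T00:18:02 198.51.100.7 TCP 4984 S
2004-01-01T00:19:30 203.0.113.9 ICMP 0 ECHO
2004-01-01T02:37:00 198.51.100.7 TCP 4987 S
2004-01-01T02:40:00 192.0.2.44 TCP 139 S
"""

def parse(log_text):
    """Yield (time, src, proto, port, flag) tuples, one per non-empty line."""
    for line in log_text.splitlines():
        if line.strip():
            ts, src, proto, port, flag = line.split()
            yield datetime.fromisoformat(ts), src, proto, int(port), flag

def detect_syn_floods(log_text, window=timedelta(seconds=10), threshold=5):
    """Flag sources sending >= threshold SYNs within one sliding window.
    Returns {src: {start, end, seconds, ports, leaked}}; 'leaked' is the
    non-flood traffic seen while the flood ran (the probes worth a look)."""
    events = sorted(parse(log_text))
    syns = defaultdict(list)             # src -> [(time, dst_port), ...]
    for t, src, proto, port, flag in events:
        if proto == "TCP" and flag == "S":
            syns[src].append((t, port))
    floods = {}
    for src, items in syns.items():
        lo = 0
        for hi, (t, _) in enumerate(items):
            while t - items[lo][0] > window:   # slide window start forward
                lo += 1
            if hi - lo + 1 >= threshold:       # burst found: summarise source
                start, end = items[0][0], items[-1][0]
                floods[src] = {
                    "start": start, "end": end,
                    "seconds": int((end - start).total_seconds()),
                    "ports": {p for _, p in items},
                    "leaked": [e for e in events
                               if e[1] != src and start <= e[0] <= end],
                }
                break
    return floods
```

Calling `detect_syn_floods(SAMPLE_LOG)` on the constructed log reports the single flooding source, the four-port set, a duration of 2h19m, and the lone ICMP echo that arrived mid-flood.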